It could get a little messy but in theory you could create a VLAN for each scenario:

VLAN 2 - I have a media server and two media computers I want to be able to “talk” with each other but not with any other computer on the network.

VLAN 3 - I have a desktop computer that I don't want to “talk” with any computers on the network (just needs wired internet access)

VLANs 4 & 5 - I have two laptops that need wired and wireless internet access but should not be able to talk to each other or any other computers on the network.

Assuming there is no interVLAN routing it should isolate those PCs in each scenario. Now just connect your switch to the net using the dot1q trunk.

Please rate if helpful.

Regards

I'm only familiar with the slm2008, never worked with any of the others.  For all those different scenarious, it really sounds like you will need a true IOS router (or another router brand that can do 802.1q) since you will need to do inter-vlan routing at the device that routing the internet traffic.  You could put another router on the network to do it, but why deal with another device.  I have a simple setup at home using a cisco 871 that my cable mode plugs into.  The fa0 interface is the uplink to my slm2008 in the attic.  I have 2 vlans, vlan 1 and vlan2.  vlan2 is used for my voice IP phone for work, vlan1 is just the default vlan for my other devices.

fa0 interface is the uplink from the 871 to the slm2008, and is in switchport trunk mode as well as vlan2 assigned as the voip vlan and the qos policy assigned to it via the auto qos command against the interface which automatically creates a voip qos policy

interface FastEthernet0
switchport mode trunk
switchport voice vlan 2
!
service-policy output qos_class_policy_sdm

On the SLM port 8 is the uplink to the 871 router and I i added vlan2 on the slm2008 and assigned vlan1 and vlan2 to port 8 which basically is the way to make it a trunk port.

The key and which I think is the root of your problems is you need to create vlan routing instances/interfaces (which I am thinking maybe the linksys 4000 can't do since, well, it's a linksys) which is usally a more advanced feature and available on more "true" routing devices.  For my cisco 871, its as simple as adding the following to allow inter-vlan routing as well as both vlans access to the internet.

interface Vlan1
description $FW_INSIDE$
ip address 192.168.250.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security in-zone

interface Vlan2
description $FW_INSIDE$
ip address 192.168.251.17 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security in-zone

At that point, you can control what traffic flows between interfaces/vlans via firewall-zones/ACLs.

Remember a trunk is just the ability to carry multiple logically definated networks over the same physical wire, but without a routing instance for a vlan, no traffic assigned to the vlan can ever leave/route to any other devices outside that assigned vlan, but will only be switched between devices in the the same network./vlan.

As far as why all the lights light, it is probobly due to unicast broadcast.  When a switch doesn't have a ip-to-mac record in its cam, it will flood all ports on that switch hoping that it will find it's intended target and populate it's cam tables properly.  These can become a very bad thing if the MAC address doesn't get learned  especially if a device send traffic is 1gb or 100mb and a device on the same switch is only 10mb.  The 10mb device will get destroyed.  We had this type of problem at my work, and older SPARC with only 10mb interface was getting killed becuase of a network misconfiguration that caused it.  This situation is called a unicast-storm.